Data Privacy Laws & Regulations

There are several data protection and privacy laws around the world. These laws aim to regulate the collection, use, and storage of personal data by organizations and give individuals more control over their personal information. They set strict rules on obtaining consent, securing personal information, and reporting data breaches. Pandectes helps Shopify stores comply with these data privacy laws & regulations.

CCPA & CPRA

California Consumer Privacy Act & California Privacy Rights Act

What is the CCPA & CPRA?

The California Consumer Privacy Act (CCPA) is a privacy law that regulates how businesses operating in California, USA must handle personal information of California residents.

The California Privacy Rights Act (CPRA) is a ballot initiative passed by California voters in November 2020, it is an amendment of the CCPA, which expands the rights of California residents and the obligations of businesses in regard to the collection, use, and sharing of personal information.

When will the CCPA & CPRA go into effect?

The California Consumer Privacy Act (CCPA) went into effect on January 1st, 2020. The California Privacy Rights Act (CPRA) was passed by California voters in November 2020 as a ballot initiative. However, it will not go into effect until 2023.

How do I achieve compliance?

Achieving compliance can be done by some key steps:

Provide a cookie banner giving the option to the visitors to opt-out, which will be applied to your store cookies and scripts.
Update your privacy notice to reflect the new rights of California residents under the CCPA and CPRA, and provide a specific “Do Not Sell My Personal Information” link on the homepage of your website.

What happens if I don’t comply with the CCPA & CPRA?

The fines for CCPA can be up to $2,500 per violation or $7,500 per intentional violation. The fines for CPRA are higher and can be up to $7,500 for each violation and $2,500 for each unintentional violation.

CPA

Colorado Privacy Act

What is the CPA?

The Colorado Privacy Act (CPA) grants Colorado residents certain data rights and places responsibilities on data controllers and processors. It is comparable to the California Privacy Rights Act (CPRA), Virginia’s Consumer Data Protection Act (CDPA), and draws from the EU’s General Data Protection Regulation (GDPR). Common features include opt-out provisions for data collection and processing, protection for sensitive data, and the application of privacy-by-design principles. However, there are significant differences in the specifics, as noted by privacy attorney Kirk Nahra from Wilmer Hale. For example, the CPA and the CPRA differ in their definitions of “sensitive data,” requiring careful examination for compliance. The definition of sensitive data under the CPA, among other provisions, will be further explored in subsequent discussions.

When will the CPA go into effect?

The CPA tasked the Colorado Attorney General with implementing and enforcing the CPA, including adopting new rules. The CPA is a part of the State of Colorado’s Consumer Protection Act and goes into effect July 1, 2023.

How do I achieve compliance?

Understanding the Act
Identify and Classify Data
Review Your Data Collection Practices
Review Your Data Processing Activities
Implement Mechanisms for User Requests
Security Measures
Data Protection Impact Assessments
Training
Contracts with Third Parties

What happens if I don’t comply with the CPA? The Colorado Privacy Act (CPA) doesn’t specify penalties for violations, instead treating them as deceptive trade practices under the Colorado Consumer Protection Act, with fines ranging from $2,000 to $20,000 per violation and potential criminal charges. The CPA is enforced by the Colorado attorney general and district attorneys, who implement injunctions, penalties, and settlements, but it does not provide a private right of action, preventing individuals from filing lawsuits against businesses for rights violations. A notice of violation is issued before enforcement, providing a 60-day cure period to rectify the violation. After January 1, 2025, the cure period will be replaced by an option to request interpretative guidance and opinion letters from the attorney general’s office.

CTDPA

Connecticut Data Privacy Act

What is the CTDPA?

Effective from May 10, 2022, the CTDPA (Connecticut Data Privacy Act) grants Connecticut residents increased control over their personal data. Under this act, a consumer is defined as a resident of the state who acts on their own behalf and not in a commercial or employment context. This distinguishes it from states like California, where employees receive data privacy protection under the CPRA (California Privacy Rights Act).

While the CTDPA incorporates many similar provisions found in data privacy acts of other states, it closely resembles the regulations in Colorado (CPA) and Virginia (CDPA).

When will the CTDPA go into effect?

As state-level data protection legislation steadily expands, one of the country’s early comprehensive privacy laws to be enacted, the Connecticut Data Privacy Act (CTDPA), will take effect on July 1, 2023.

How do I achieve compliance?

Determine if your company is required to comply
Create a comprehensive Privacy Policy
Inform users about their rights
As a best practice, review and update your Privacy Policy or Notice every 12 months
Enable clear options when consent is required
Authenticate consent for collection of sensitive personal data or data from minors
Enable consumers to make Data Subject Access Requests (DSARs)
Set up a system to verify Data Subject Access Requests (DSARs)
Keep track of Data Subject Access Requests (DSARs)
Fulfill Data Subject Access Requests DSARs)

What happens if I don’t comply with the CTDPA?

The Connecticut Attorney General possesses the power to enforce violations and impose fines of up to $5,000 per violation. Furthermore, the Attorney General can issue orders to prevent offenders from breaking the law, require them to compensate victims, and demand disgorgement of any profits obtained through illegal activities.

MCDPA

Montana Consumer Data Protection Act

What is the MCDPA?

The Montana Consumer Data Protection Act (MCDPA) provides Montana residents with certain rights pertaining to their data and imposes obligations on those who control and process data. It shares some similarities with other state laws such as the California Privacy Rights Act (CPRA) and Virginia’s Consumer Data Protection Act (CDPA), as well as draws inspiration from the EU’s General Data Protection Regulation (GDPR).

When will the MCDPA go into effect?

The Montana Consumer Data Protection Act (MCDPA) was signed into law and will become effective on July 1, 2025.

How do I achieve compliance?

Achieving compliance can be done by following some key steps:

Provide a Cookie Banner: Ensure your website includes a cookie banner that gives visitors the option to opt-out.
Update Privacy Notice: Update your privacy notice to reflect the new rights of Montana residents under the MCDPA. Include a specific “Do Not Sell My Personal Information” link on the homepage of your website.

What happens if I don’t comply with the MCDPA?

Violations of the MCDPA are considered deceptive trade practices and will be dealt with under the Montana Consumer Protection Act. While the MCDPA does not specify exact fines, violators could face substantial penalties as determined by the Montana Attorney General. Potential fines and penalties can vary, but non-compliance could also result in criminal charges.

OCDPA

Oregon Consumer Data Privacy Act

What is the OCDPA?

The Oregon Consumer Data Privacy Act (OCDPA) is a data privacy law that regulates how businesses handle personal data of Oregon residents.

It applies to companies that conduct business in Oregon and meet certain thresholds in terms of revenue and data processing. The OCDPA is considered one of the most stringent data protection laws in the US, and it is similar to the California Consumer Privacy Act (CCPA).

When will the OCDPA go into effect?

The OCDPA tasks the Oregon Attorney General with implementing and enforcing the OCDPA, including adopting new rules. The OCDPA is a part of the State of Oregon’s Unlawful Trade Practices Act and goes into effect on July 1, 2025.

How do I achieve compliance?

Achieving compliance can be done by following some key steps:

Provide a Cookie Banner: Ensure your website includes a cookie banner that gives visitors the option to opt-out.
Update Privacy Notice: Update your privacy notice to reflect the new rights of Oregon residents under the OCDPA. Include a specific “Do Not Sell My Personal Information” link on the homepage of your website.

What happens if I don’t comply with the OCDPA?

The OCDPA doesn’t specify the penalties or fines that violators will have to pay. However, violations of the regulation are considered a deceptive trade practice. This means that violations will be dealt with as per the Oregon Unlawful Trade Practices Act.

TDPSA

Texas Data Privacy and Security Act

What is the TDPSA?

The Texas Data Privacy and Security Act (TDPSA) provides Texas residents with certain rights pertaining to their data and imposes obligations on those who control and process data. It shares some similarities with other state laws such as the California Privacy Rights Act (CPRA) and Virginia’s Consumer Data Protection Act (CDPA), as well as draws inspiration from the EU’s General Data Protection Regulation (GDPR).

When will the TDPSA go into effect?

The TDPSA tasks the Texas Attorney General with implementing and enforcing the TDPSA, including adopting new rules. The TDPSA is a part of the State of Texas’s Deceptive Trade Practices-Consumer Protection Act and goes into effect on July 1, 2025.

How do I achieve compliance?

Determine if your company is required to comply
Create a comprehensive Privacy Policy
Inform users about their rights
As a best practice, review and update your Privacy Policy or Notice every 12 months
Enable clear options when consent is required
Authenticate consent for collection of sensitive personal data or data from minors
Enable consumers to make Data Subject Access Requests (DSARs)
Set up a system to verify Data Subject Access Requests (DSARs)
Keep track of Data Subject Access Requests (DSARs)
Fulfill Data Subject Access Requests DSARs)

What happens if I don’t comply with the TDPSA? The TDPSA doesn’t specify the penalties or fines that violators will have to pay. However, violations of the regulation are considered a deceptive trade practice. This means that violations will be dealt with as per the Texas Deceptive Trade Practices-Consumer Protection Act.

UCPA

Utah Consumer Privacy Act

What is the UCPA?

The Utah Consumer Privacy Act (UCPA), enacted on March 24, 2022, is a data privacy law that protects the privacy rights of Utah residents and sets rules for businesses in the state. It concentrates on the sale of personal data and targeted advertising, defining a sale as the exchange of personal data for monetary consideration to a third party. Unlike the California Privacy Rights Act (CPRA), the UCPA does not consider data sharing and does not view targeted advertising as a direct transaction with the consumer. The law follows an opt-out model, permitting the collection, sale, and use of personal data for targeted advertising without explicit consent, except for children’s data. Consumers can opt out of the sale of their data or its use for targeted advertising, and businesses must provide them with this option.

When will the UCPA go into effect?

Scheduled to take effect on December 31, 2023, the Utah Consumer Privacy Act (UCPA) serves as Utah’s data privacy law. It grants consumers certain rights while imposing obligations on businesses operating within the state.

How do I achieve compliance?

Determine if your company is required to comply
Create a comprehensive Privacy Policy
Inform users about their rights
As a best practice, review and update your Privacy Policy or Notice every 12 months
Enable clear options when consent is required
Authenticate consent for collection of sensitive personal data or data from minors
Enable consumers to make Data Subject Access Requests (DSARs)
Set up a system to verify Data Subject Access Requests (DSARs)
Keep track of Data Subject Access Requests (DSARs)
Fulfill Data Subject Access Requests DSARs)

What happens if I don’t comply with the UCPA? Under the UCPA, enforcement occurs at multiple levels, with the Division of Consumer Protection collecting consumer complaints and investigating potential violations. If a controller or processor continues to violate UCPA provisions despite providing an express written statement, the attorney general has the authority to take enforcement action, which may result in fines of up to $7,500.

VCDPA

Virginia Consumer Data Protection Act

What is the VCDPA?

The Virginia Consumer Data Protection Act (VCDPA) is a data privacy law that regulates how businesses handle personal data of Virginia residents.

It applies to companies that conduct business in Virginia and meet certain thresholds in terms of revenue and data processing. The VCDPA is considered as one of the most stringent data protection laws in the US, and it is similar to the California Consumer Privacy Act (CCPA).

When will the VCDPA go into effect? The Virginia Consumer Data Protection Act (VCDPA) was signed into law on March 2, 2021, and it will become effective on January 1, 2023.

How do I achieve compliance?

Achieving compliance can be done by some key steps:

Provide a cookie banner giving the option to the visitors to opt-out, which will be applied to your store cookies and scripts.
Update Privacy Notice: Update your privacy notice to reflect the new rights of Virginia residents under the VCDPA, and provide a specific “Do Not Sell My Personal Information” link on the homepage of your website.

What happens if I don’t comply with the VCDPA? The fines can be up to $7,500 for each violation or $750 per day for each day of a continuing violation, but not exceeding $2.5 million.

LGPD

Lei Geral de Proteção de Dados Pessoais

What is the LGPD?

The Brazilian General Data Protection Law (LGPD) is a data protection law that regulates the collection, use, and storage of personal data of Brazilian citizens. It came into effect on August 2020. It is considered one of the most comprehensive data protection laws in Latin America and is similar to the EU’s General Data Protection Regulation (GDPR).

When will the LGPD go into effect? The Brazilian General Data Protection Law (LGPD) went into effect on August 14th, 2020. However, the National Data Protection Authority (ANPD) has implemented a transitional period until August 2021, in which it will prioritize guidance, education and awareness-raising over fines and penalties for non-compliance with the LGPD.

How do I achieve compliance?

Achieving compliance can be done by some key steps:

Provide a cookie banner giving the option to the visitors to opt-in or opt-out which will be applied to your store cookies and scripts.
Prepare a privacy policy page with cookies declaration.
Provide a way to customers to make data requests.

What happens if I don’t comply with the LGPD? The fines can be up to 2% of the company’s gross revenue or up to 50 million reais (which is the equivalent of around 8.5 million US dollars) whichever is higher.

PIPEDA

Personal Information Protection and Electronic Documents Act

What is the PIPEDA?

The Personal Information Protection and Electronic Documents Act (PIPEDA) is a Canadian federal privacy law that governs how organizations collect, use, and disclose personal information in the course of commercial activities. It applies to all private sector organizations engaged in commercial activities and sets out the rules for how personal information should be handled.

It establishes principles such as obtaining meaningful consent for the collection, use, and disclosure of personal information, providing individuals with access to their personal information, and protecting personal information through appropriate security measures.

When will the PIPEDA go into effect?

The Personal Information Protection and Electronic Documents Act (PIPEDA) came into effect on January 1st, 2001. However, it was not fully enforced until January 1st, 2004, after a 3-year transition period.

How do I achieve compliance?

Achieving compliance can be done by some key steps:

Provide a cookie banner giving the option to the visitors to opt-out, which will be applied to your store cookies and scripts.
Update Policies and Procedures: Review and update your policies and procedures to ensure they comply with PIPEDA requirements, such as obtaining consent, providing transparent information, and allowing individuals to exercise their rights.

What happens if I don’t comply with the PIPEDA?
Organizations can be ordered to pay Administrative Monetary Penalties of up to $10,000 for each violation of the Act.

The Privacy Commissioner of Canada can issue compliance orders requiring organizations to take specific actions to come into compliance with PIPEDA.

Japan APPI

Act on the Protection of Personal Information

What is the APPI?

The Act on the Protection of Personal Information (APPI) is Japan’s national data protection legislation. The APPI aims to protect the personal information of individuals by regulating the collection, use, and disclosure of personal data by organizations. It establishes principles such as obtaining consent for the collection, use and disclosure of personal information, providing individuals with access to their personal information, and protecting personal information through appropriate security measures.

When will the APPI go into effect? The Act on the Protection of Personal Information (APPI) was first enacted in 2003 and came into effect in April 1st, 2005. However, it was amended in 2015, and the amendment to the APPI came into effect in May 30th, 2017.

How do I achieve compliance?

Achieving compliance can be done through some key steps:

Provide a cookie banner giving the option to the visitors to opt-out, which will be applied to your store cookies and scripts.
Prepare a privacy policy page with cookie declaration.
Give the option to the visitor to check existing consent and change preferences.

What happens if I don’t comply with the APPI?
The Personal Information Protection Commission (PPC), which is responsible for enforcing the APPI, has the power to impose administrative fines for non-compliance. The fines can be up to JPY 1,000,000 (around 9,300 USD).

Thailand PDPA

Personal Data Protection Act

What is the PDPA?

The Thailand Personal Data Protection Act (PDPA) is a data protection law in Thailand. It aims to protect the personal data of individuals by regulating the collection, use, and disclosure of personal data by organizations. It establishes principles such as obtaining consent for the collection, use, and disclosure of personal data, providing individuals with access to their personal data, and protecting personal data through appropriate security measures.

When will the PDPA go into effect?

The Thailand Personal Data Protection Act (PDPA) was passed on May 27, 2019 and it came into effect on May 27, 2020. However, the Personal Data Protection Committee (PDPC) has implemented a grace period until May 26, 2021, during which it will prioritize guidance, education and awareness-raising over fines and penalties for non-compliance with the PDPA.

How do I achieve compliance?

Achieving compliance can be done by some key steps:

Provide a cookie banner giving the option to the visitors to opt-in or opt-out which will be applied to your store cookies and scripts.
Prepare a privacy policy page with cookies declaration.
Give the option to the visitor to check existing consent and change preferences.

What happens if I don’t comply with the PDPA?
The Personal Data Protection Committee (PDPC) has the power to impose administrative fines for non-compliance. The fines can be up to 5 million baht (around 160,000 USD) per violation.

Switzerland FADP

Federal Act on Data Protection

What is the FADP?

The Federal Act on Data Protection (FADP) in Switzerland has been updated to address modern digital challenges. Introduced in 1992, it was revised in 2020 with the New Federal Act on Data Protection (nFADP), set for implementation in September 2023. The nFADP focuses on protecting individual data, classifying genetic and biometric information as sensitive, and emphasizes principles like “Privacy by Design”. It aligns closely with the European GDPR, ensuring seamless data exchange between Switzerland and the EU.

When will the FADP go into effect? The Federal Act on Data Protection (FADP) is set to go into effect on September 1, 2023. This date marks the implementation of the revised FADP along with the related Ordinance to the FADP, which is expected to be issued by the Federal Council.

How do I achieve compliance? To achieve compliance with the FADP, familiarize yourself with its provisions, map out personal data flows within your organization, ensure data collection is purpose-specific, and implement robust security measures. Prioritize transparency with data subjects, address their rights, and regularly audit your processes. If transferring data outside Switzerland, ensure the receiving country has adequate protection. Maintain detailed records, stay updated on FADP changes, and consider seeking expert advice for clarity. Continuous commitment is essential for sustained compliance.

What happens if I don’t comply with the FADP?
If you don’t comply with the FADP, you risk facing financial penalties, civil claims from affected individuals, reputational damage, and enforcement actions by the FDPIC. Non-compliance can also hinder cross-border data transfers and disrupt business operations. It’s vital to prioritize adherence to avoid these consequences.

South Africa POPIA

Protection of Personal Information Act

What is the POPIA?

The Protection of Personal Information Act (POPIA) is South Africa’s comprehensive data protection law, designed to safeguard personal information processed by public and private bodies. Enacted in 2013, POPIA aligns with global data protection standards, emphasizing the right to privacy while balancing against other rights, such as access to information.

When will the POPIA go into effect?

The Protection of Personal Information Act (POPIA) in South Africa was signed into law on November 26, 2013. However, its provisions were enacted in stages. The final provisions of POPIA came into effect on July 1, 2020, marking the start of the enforcement of the Act. Importantly, there was a grace period given to organizations to ensure full compliance with the Act’s requirements, which ended on July 1, 2021. From July 1, 2021, onwards, all organizations processing personal information in South Africa are expected to comply with POPIA’s provisions or face potential penalties and enforcement actions.

How do I achieve compliance?

To achieve POPIA compliance, start by thoroughly understanding the requirements of the Act, including lawful data processing and data subject rights. Conduct an audit of all personal data you handle to identify what you collect and how it’s used. Appoint an Information Officer to oversee compliance efforts. Update your privacy policies and procedures to align with POPIA standards, ensuring they cover data collection, processing, and sharing. Implement systems to manage consent effectively and to allow individuals to exercise their rights to access, correct, or delete their data. Lastly, ensure robust security measures are in place to protect personal information against breaches, and establish clear protocols for responding to data breaches in compliance with POPIA’s notification requirements.

What happens if I don’t comply with the POPIA? Failing to comply with the Protection of Personal Information Act (POPIA) in South Africa can have significant repercussions, including hefty financial penalties up to R10 million, legal actions from data subjects seeking compensation, and serious reputational damage that can affect customer trust and business viability. Additionally, the Information Regulator may issue enforcement notices to rectify non-compliance, with further non-compliance leading to criminal prosecution of responsible individuals, potentially resulting in fines or imprisonment. Thus, adherence to POPIA is essential not only to avoid these punitive measures but also to safeguard personal information and uphold the reputation of your organization.

New Zealand NZPA

New Zealand Privacy Act

What is the NZPA? The New Zealand Privacy Act (NZPA) is New Zealand’s comprehensive data protection law, designed to safeguard personal information processed by public and private bodies. Enacted in 1993, the NZPA aligns with global data protection standards, emphasizing the right to privacy while balancing against other rights, such as access to information.

When will the NZPA go into effect?

The New Zealand Privacy Act (NZPA) was first enacted in 1993. However, its provisions have been updated over the years to keep pace with evolving privacy concerns. Significant amendments were made, with the most recent provisions coming into effect on December 1, 2020, marking the start of the enforcement of the updated Act.

Importantly, there was a grace period given to organizations to ensure full compliance with the Act’s requirements, which ended on December 1, 2021. From December 1, 2021, onwards, all organizations processing personal information in New Zealand are expected to comply with the NZPA’s provisions or face potential penalties and enforcement actions.

How do I achieve compliance? To achieve NZPA compliance, start by thoroughly understanding the requirements of the Act, including lawful data processing and data subject rights. Conduct an audit of all personal data you handle to identify what you collect and how it’s used. Appoint a Privacy Officer to oversee compliance efforts. Update your privacy policies and procedures to align with NZPA standards, ensuring they cover data collection, processing, and sharing. Implement systems to manage consent effectively and to allow individuals to exercise their rights to access, correct, or delete their data. Lastly, ensure robust security measures are in place to protect personal information against breaches, and establish clear protocols for responding to data breaches in compliance with NZPA’s notification requirements.

What happens if I don’t comply with the NZPA? Failing to comply with the New Zealand Privacy Act (NZPA) can have significant repercussions, including hefty financial penalties, legal actions from data subjects seeking compensation, and serious reputational damage that can affect customer trust and business viability. Additionally, the Office of the Privacy Commissioner (OPC) may issue compliance notices to rectify non-compliance, with further non-compliance leading to potential legal prosecution of responsible individuals, which may result in fines or other penalties. Thus, adherence to the NZPA is essential not only to avoid these punitive measures but also to safeguard personal information and uphold the reputation of your organization.

Australia APA

New Zealand Privacy Act

What is the APA? The Australian Privacy Act (APA) is Australia’s comprehensive data protection law, designed to safeguard personal information processed by public and private bodies. Enacted in 1988, the APA aligns with global data protection standards, emphasizing the right to privacy while balancing against other rights, such as access to information.

When will the APA go into effect? The Australian Privacy Act (APA) was first enacted in 1988. However, its provisions have been updated over the years to keep pace with evolving privacy concerns. Significant amendments were made, with the most recent provisions coming into effect on March 12, 2014, marking the start of the enforcement of the updated Act. Importantly, there was a grace period given to organizations to ensure full compliance with the Act’s requirements, which ended on March 12, 2015. From March 12, 2015, onwards, all organizations processing personal information in Australia are expected to comply with the APA’s provisions or face potential penalties and enforcement actions.

How do I achieve compliance? To achieve APA compliance, start by thoroughly understanding the requirements of the Act, including lawful data processing and data subject rights. Conduct an audit of all personal data you handle to identify what you collect and how it’s used. Appoint a Privacy Officer to oversee compliance efforts. Update your privacy policies and procedures to align with APA standards, ensuring they cover data collection, processing, and sharing. Implement systems to manage consent effectively and to allow individuals to exercise their rights to access, correct, or delete their data. Lastly, ensure robust security measures are in place to protect personal information against breaches, and establish clear protocols for responding to data breaches in compliance with APA’s notification requirements.

What happens if I don’t comply with the APA? Failing to comply with the Australian Privacy Act (APA) can result in various penalties and enforcement actions. The Office of the Australian Information Commissioner (OAIC), which is responsible for enforcing the APA, has the power to impose administrative fines for non-compliance. The fines can be significant, depending on the severity and nature of the violation.

Make your Shopify Store's use of cookies and online tracking compliant today